LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Generating and Using SSH Keys, Part 3

In previous tutorials in this series, we went over generating SSH keys and how to use them.  We’ll wrap up the series by showing you how to turn off password authentication on your server.

Why Configure for SSH Key Authentication Only

As mentioned in Part 1, SSH key authentication means the client has to prove it holds the private key file (“something you have”), and that file is in turn protected by a passphrase (“something you know”).  An attacker on the other side of the world might guess or brute-force your password, or you might reuse it on some web site that later gets breached.  None of that matters if the attacker doesn’t have your SSH private key file.

This doesn’t mean you should skip the passphrase on your SSH private key file.  The server never sees the passphrase; it only encrypts the key file on your client.  If your client system (such as your home PC or laptop) is compromised, or the key file is copied, that passphrase is all that stands between the attacker and your servers, so follow normal best practices for strong passphrases.

Disabling Password Authentication

First, test that SSH key authentication works (see Part 2) so you don’t lock yourself out.  Keep the session you are working in open while you make the change, and test a fresh login from a second terminal before you close it.

Using your favorite editor (such as vi or nano), edit the /etc/ssh/sshd_config file.  The location is the same on both Debian- and CentOS-based systems.  Newer Debian and Ubuntu releases also read drop-in files from /etc/ssh/sshd_config.d/ via an Include line at the top of sshd_config; check those too, because sshd uses the first occurrence of a directive it finds, and some cloud images ship a drop-in that sets PasswordAuthentication yes.

    sudo vi /etc/ssh/sshd_config

Change these lines as follows (PubkeyAuthentication yes is the default, so it is usually fine to just uncomment it).  The third line turns off keyboard-interactive authentication, which is how PAM can still prompt for a password even when PasswordAuthentication is off; older releases spell it ChallengeResponseAuthentication:

    PubkeyAuthentication yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no

Then check the syntax and restart sshd.  On Debian and Ubuntu the unit is named ssh, though sshd normally works as an alias:

    sudo sshd -t
    sudo systemctl restart sshd

Now try to log in.  Here I will use an account that was set up and has not had an SSH key configured.  The list in parentheses depends on which methods your server still advertises; the point is that password is no longer among them:

    $ ssh testuser@myserver
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
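The steps above, scripted, as an added example that is not part of the original post.  It applies the same directives to a copy of sshd_config, then resolves the value sshd will actually use the way sshd does (first occurrence wins, Include'd drop-ins are read where the Include line sits), so you can see a cloud-init style drop-in overriding the main file.  The file layout (/etc/ssh/sshd_config plus /etc/ssh/sshd_config.d/*.conf) and the sample files in demo are assumed and constructed here; apply_for_real is the only part that touches the live system.

```shell
#!/bin/sh
# Added example, not from the original post: script the edit above and then
# check what sshd will actually enforce. Assumed layout: a main file
# (normally /etc/ssh/sshd_config) that may "Include" drop-in files such as
# /etc/ssh/sshd_config.d/*.conf. File paths are parameters so everything can
# be tried on a scratch copy first.

# set_sshd_option FILE DIRECTIVE VALUE
# Rewrites the first line for DIRECTIVE (active or commented out) to
# "DIRECTIVE VALUE", drops later duplicates, and appends the line if nothing
# matched. Match blocks are not handled; edit those by hand.
set_sshd_option() {
    file=$1; key=$2; val=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v val="$val" '
        { rest = $0; sub(/^[ \t]*#?[ \t]*/, "", rest); split(rest, f, /[ \t=]+/) }
        tolower(f[1]) == tolower(key) { if (!done) { print key " " val; done = 1 }; next }
        { print }
        END { if (!done) print key " " val }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the original owner/mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# effective_sshd_option FILE DIRECTIVE
# Prints the value sshd will use in the global section, or returns 1 if unset.
# sshd takes the FIRST active occurrence, and Include'd files are read at the
# point of the Include line, so a drop-in included at the top of the main file
# beats a line further down. Not modelled: Match blocks (scanning stops there)
# and the rare "Directive=value" spelling.
effective_sshd_option() {
    want=$(printf %s "$2" | tr 'A-Z' 'a-z')
    [ -r "$1" ] || return 1
    while read -r k v rest || [ -n "$k" ]; do
        case $k in ''|'#'*) continue ;; esac
        case $(printf %s "$k" | tr 'A-Z' 'a-z') in
            "$want") printf '%s\n' "$v"; return 0 ;;
            match)   return 1 ;;
            include)
                for inc in $v $rest; do     # unquoted on purpose: expand the glob
                    [ -f "$inc" ] || continue
                    val=$(effective_sshd_option "$inc" "$2") && { printf '%s\n' "$val"; return 0; }
                done ;;
        esac
    done < "$1"
    return 1
}

# password_logins_closed FILE
# True only if both plain password and keyboard-interactive (PAM) logins are
# off. sshd defaults both to "yes", so an absent directive counts as open.
# ChallengeResponseAuthentication is the older name of the second switch.
password_logins_closed() {
    p=$(effective_sshd_option "$1" PasswordAuthentication) || p=yes
    k=$(effective_sshd_option "$1" KbdInteractiveAuthentication) ||
        k=$(effective_sshd_option "$1" ChallengeResponseAuthentication) || k=yes
    [ "$p" = no ] && [ "$k" = no ]
}

# harden_sshd FILE
# The tutorial's two directives plus the keyboard-interactive one, then a
# check that no Include'd drop-in quietly turns passwords back on.
harden_sshd() {
    set_sshd_option "$1" PubkeyAuthentication yes &&
    set_sshd_option "$1" PasswordAuthentication no &&
    set_sshd_option "$1" KbdInteractiveAuthentication no || return 1
    password_logins_closed "$1"
}

# apply_for_real: run as root on the live file; keep your current session open
# and test a fresh login before closing it. The unit is "ssh" on Debian/Ubuntu
# (sshd is usually an alias) and "sshd" on CentOS.
apply_for_real() {
    harden_sshd /etc/ssh/sshd_config ||
        { echo "a drop-in still enables password logins; fix it first" >&2; return 1; }
    sshd -t || return 1             # syntax check before restarting
    systemctl restart sshd 2>/dev/null || systemctl restart ssh
}

# demo: a constructed scratch layout mimicking a cloud image whose cloud-init
# drop-in sets PasswordAuthentication yes. Safe to run anywhere.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\n#PasswordAuthentication yes\nPasswordAuthentication yes\n' \
        "$d" > "$d/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
    if harden_sshd "$d/sshd_config"; then echo "closed"
    else echo "still open: drop-in wins with PasswordAuthentication $(effective_sshd_option "$d/sshd_config" PasswordAuthentication)"; fi
    rm -f "$d/sshd_config.d/50-cloud-init.conf"
    password_logins_closed "$d/sshd_config" && echo "drop-in removed: closed"
    rm -rf "$d"
}

demo
```

Running it prints "still open" first, because the drop-in is Include'd before the main file's own PasswordAuthentication line, and "closed" only after the drop-in is gone.  On a real box the equivalent fix is to delete the drop-in or set the directive in a drop-in that sorts earlier, then run apply_for_real.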

Wrapping Up

Here are the key takeaways from this series:

  • SSH key authentication is based on public key cryptography: the client proves it holds the private key by signing a challenge, and the server checks the signature with the public key.  The private key should be zealously protected.  On the other hand, the public key does not need to be kept secret; it is what you install on the various servers you wish to connect to.
  • SSH key authentication is superior to passwords because it requires the user to have the SSH private key file in his/her possession, not merely know a secret that can be guessed or reused.
  • You should set a solid passphrase on your SSH private key file in case it is lost, stolen or compromised; the passphrase only protects the file on your client, so it is your last line of defense.
  • The ssh-copy-id utility allows you to very easily set up your SSH key on remote systems if you have a Linux or macOS client.  On Windows, you’ll need to proceed with manual steps.
  • Disabling password authentication (including keyboard-interactive prompts) on your servers completes the security setup.  Once done, password guessing against sshd is no longer possible and the security of your server is significantly improved.

raindog308
